
How HIPAA Applies to Canadians, and Where PIPEDA Takes Over

By Joseph Abear ·

HIPAA does not apply to Canadian organizations operating in Canada; Canadian health and personal data is governed by PIPEDA federally, by provincial health laws such as Ontario's PHIPA, and by Quebec's Law 25, while HIPAA reaches a Canadian business only when it handles protected health information (PHI) for a US Covered Entity as a Business Associate. For a Canadian clinic, SaaS vendor, or agency, the practical question is not "does HIPAA apply" but "which combination of Canadian law and US contract applies to each data flow." This guide maps that stack.

TL;DR: Quick answer

  • HIPAA binds Covered Entities and Business Associates as defined at 45 CFR § 160.103; a Canadian clinic treating Canadian patients is neither, so PIPEDA or provincial law governs it.
  • A Canadian company processing PHI for a US Covered Entity becomes a Business Associate, must sign a BAA under 45 CFR §§ 164.308(b) and 164.504(e), and is directly subject to the Security Rule and HHS OCR enforcement.
  • PIPEDA's federal reform bill C-27 died when Parliament was prorogued in January 2025; as of June 2026 a successor bill is expected but not law, so PIPEDA remains the governing federal statute.
  • Quebec's Law 25 is fully in force, with administrative penalties up to CAD 10 million or 2% of worldwide turnover and penal fines up to CAD 25 million or 4%.
  • The rule runs both ways: a US Covered Entity must protect its Canadian patients' records as PHI under HIPAA, while a Canadian organization protects the same kind of data under PIPEDA or provincial law instead.

Why HIPAA stops at the border

HIPAA's scope is defined by entity status, not by where the patient lives. It applies to US healthcare providers that conduct electronic standard transactions, to health plans, to clearinghouses, and to the Business Associates that serve them (45 CFR § 160.103). A Toronto physiotherapy clinic, a Vancouver telehealth startup serving only Canadians, and a Montreal billing company with no US clients have no HIPAA obligations at all. Their rules come from Canadian statutes. The broader comparison of how national frameworks differ is covered in our guide to HIPAA vs international privacy laws.

The Canadian privacy stack: PIPEDA, provincial PIPAs, PHIPA, Law 25

Canada regulates by layers rather than by sector alone:

  • PIPEDA (Personal Information Protection and Electronic Documents Act) applies to private-sector organizations collecting personal information in the course of commercial activity. It is built on ten fair information principles, with meaningful consent at the center and breach reporting to the Office of the Privacy Commissioner when a breach creates a real risk of significant harm.
  • Alberta and British Columbia PIPAs are "substantially similar" provincial laws that displace PIPEDA for intra-provincial matters.
  • Ontario PHIPA governs health information custodians such as physicians, hospitals, and clinics, and the service providers that handle personal health information for them. Our HIPAA vs PHIPA comparison goes deeper on the Ontario rules.
  • Quebec Law 25 modernized Quebec's private-sector regime in phases through 2024 and is fully in force, adding mandatory privacy officers, privacy impact assessments before sending data outside Quebec, and the steepest penalties in Canada.

Reform status as of June 2026: the federal modernization bill C-27, which would have replaced PIPEDA's core with the Consumer Privacy Protection Act, died on the order paper when Parliament was prorogued in January 2025. A successor federal privacy bill is widely expected, but none has passed. Canadian businesses should plan against PIPEDA as written, plus their provincial overlays.

When does HIPAA actually touch a Canadian business?

Two scenarios matter, and they are often confused.

Scenario 1: You are a Business Associate of a US Covered Entity

This is the real trigger. A Canadian medical billing firm, transcription service, EHR vendor, web agency, or hosting reseller that creates, receives, maintains, or transmits PHI on behalf of a US Covered Entity meets the Business Associate definition at 45 CFR § 160.103. The client must obtain a BAA (45 CFR § 164.504(e)). The Canadian firm then owes direct compliance with the Security Rule safeguards at 45 CFR §§ 164.308, 164.310, and 164.312 and with breach reporting under 45 CFR §§ 164.400-414, and it is exposed to HHS OCR civil money penalties, which in 2026 reach $73,011 per violation with a $2,190,294 annual cap per provision (45 CFR § 102.3). Enforcement against an offshore entity is practically harder, but the contractual and legal exposure is real, and US clients increasingly audit it.

Scenario 2: You are a Canadian clinician with US patients

Seeing US patients does not by itself make a Canadian provider a Covered Entity. The test is whether you transmit health information electronically in connection with US standard transactions, typically billing US insurers or Medicare. A Canadian telehealth practice that bills US health plans electronically can meet the Covered Entity definition for that activity. A practice that charges US patients directly, with no electronic claims, generally does not. Cross-border licensure and state telehealth rules are separate questions for counsel. The mirror-image analysis for non-US website operators in general is in our companion piece, does HIPAA only apply to US sites.

Dual compliance: meeting the BAA and Canadian law at once

A Canadian Business Associate must satisfy both regimes simultaneously. The overlap is substantial: encryption (45 CFR § 164.312(a)(2)(iv) and (e)), access controls, audit logging (§ 164.312(b)), and incident response serve PIPEDA's safeguards principle too. The differences are procedural. HIPAA requires a documented risk analysis (45 CFR § 164.308(a)(1)(ii)(A)) and six-year documentation retention (§ 164.316(b)(2)(i)); PIPEDA requires breach record-keeping for 24 months and OPC reporting on the real-risk-of-significant-harm standard; PHIPA and Law 25 add their own notice rules. Run one control set mapped to all applicable obligations rather than parallel programs.

Cross-border hosting and data residency

Hosting decisions raise the most questions from Canadian clients. The current landscape:

  • No Canadian federal law flatly prohibits storing personal information in the US. PIPEDA permits cross-border transfers if the organization ensures comparable protection by contract and is transparent with individuals, per OPC guidance.
  • Quebec's Law 25 requires a privacy impact assessment before communicating personal information outside Quebec, concluding the data will receive adequate protection.
  • Ontario PHIPA does not ban out-of-country storage, but custodians must use agreements that restrict their service providers' use of personal health information.
  • Some public-sector statutes (for example in British Columbia and Nova Scotia) impose stricter residency expectations on public bodies.

For a Canadian vendor serving US healthcare clients, the practical answer is usually US-region, BAA-covered infrastructure for the PHI workload, documented in both the BAA and the Canadian transfer assessment. hipaacomplianthosting.com provides managed HIPAA hosting on AWS, including for Canadian-owned companies operating under BAAs; that is our business. See our HIPAA cloud hosting service and the HIPAA-compliant hosting guide for what the stack includes.

Frequently asked questions

Does HIPAA apply to Canadian companies?

Not by default. It applies only when a Canadian company acts as a Business Associate of a US Covered Entity under 45 CFR § 160.103, in which case the BAA and the Security Rule bind it directly.

What is the Canadian equivalent of HIPAA?

There is no single equivalent. PIPEDA governs commercial activity federally, Alberta and BC have their own PIPAs, Ontario's PHIPA covers health information custodians, and Quebec's Law 25 governs that province's private sector.

Is Bill C-27 still pending?

No. C-27 died when Parliament was prorogued in January 2025. As of June 2026 a successor federal privacy bill is anticipated but has not been enacted, so PIPEDA remains in force unchanged.

Can a Canadian company host US patient data in Canada?

HIPAA does not require US data residency, so yes, if the hosting arrangement is BAA-covered and meets the Security Rule. Many US clients still prefer US-region hosting for enforcement and latency reasons, so confirm expectations in the BAA.

Does a Canadian clinic need a BAA with its own vendors?

Not a HIPAA BAA, unless US PHI is involved. PHIPA and PIPEDA instead require service-provider agreements with comparable confidentiality and safeguard terms.

This article is general information, not legal advice. Consult counsel on PIPEDA, provincial law, and any BAA obligations, and base your safeguards on a documented risk analysis. Reviewed June 2026.
